I know most of the tech community likes to joke about this but I think there's something serious to consider:
How can we educate the wider public that breaking crypto makes everything less secure. Most of the arguments I've seen in the wider context seem to split down tech/non-tech lines with this being the key point that's not understood.
I think one easy way would be explaining the NSA's other job—ensuring COMSEC for the government, military, and "essential" industrial players. Requiring "breakable" crypto everywhere would mean 'the terrorists win' in a very literal sense—the same sense in which the break of Enigma was a key part of Germany's loss in WWI.
But, of course, the government won't have to use breakable crypto; only the citizenry will be beholden to that requirement. So instead, it will merely be those 'essential' industrial players, now constantly finding their foreign rivals to have the upper hand in trade negotiations and to seemingly predict their moves.
I think that's the key here: broken crypto, on a large scale, doesn't just mean a panopticon; it also means whoever's using it will inevitably suffer large-scale economic stagnation. Standardizing on breakable crypto is equivalent to making laws with large loopholes to allow industrial espionage into the country.
If you want to scare people into defending crypto, point out that it's the shield on the arm of the negotiators who sign things like the TPP agreement. Small business owners—even if they themselves have no trade secrets to protect—will be directly affected by whether crypto can protect the secrets of their industry from their foreign equivalents. (Your local {sports clothing, christmas ornament, office furniture} industry recently take a nosedive? Maybe someone was cornered into a bad deal because all your local supply-chain logistics were plain on the table to China, but theirs were a mystery to us.) And small business owners are a pretty good voting bloc.
It got plenty of traction among key demographics. It's a good populist talking point and Trump brought it up a number of times. The kernel of truth in the messages is: whatever the right policy happens to be, it's not Apple's call to make. The elected government should decide the balance to strike between protecting communications and keeping us safe from terrorists.
Well for one reaching the wider public is hard. Well, unless, Google, Apple and others take our side. Which is plausible.
Then after reaching the public there must be a compelling relatable story. Applied did it a bit when replying to FBI's request:
-- Weak encryption means more identity theft. This is a good one. Everyone knows someone who lost a phone, a wallet and then thieves emptied bank accounts, caused grief, time wasted and pain for years to come. This works and is great.
Others I can think of:
-- Point to large scale data breaches, even Government's own OPM office was hacked by Chinese. Having back-doors in everything means more such large scale failures.
-- Take their own rhetoric and spin it around. Look Snowden stole all those documents right under the nose of the NSA. Point to their own incompetence and say imagine future such incidents with a perpetrator walking away with "master keys". Remember to repeat phrases like "it is not a matter of if but a matter of when". That was used by talking head security experts on TV post 9/11, this one works great. I like it.
-- Point to physical analogies where master key has been lost. Was it a case for NYFD or some place like that. Where it was mandated all these places have a master key and it was copied and used for criminal activity.
-- Find something with terrorists. Nobody will ever defend terrorists. Any case where Chinese terrorists hacked Google through a backdoor created to handle government's access to data.
-- Everyone loves freedom of speech and hates when worthy dissidents in countries we don't like are martyred. Point out how strong encryption has saved lives and provided the only channel for communication freedom fighters.
> Point to physical analogies where master key has been lost. Was it a case for NYFD or some place like that. Where it was mandated all these places have a master key and it was copied and used for criminal activity.
I would point out that these "keys" are actually computer files that act like digital keys (obviously), and the bad guy will instantly make 100,000 plus copies of the key and distribute it to his network of bad guys (bot net) and begin breaking into hundreds of thousands of houses every hour.
Also, what happened to all the talk about cybersecurity? It seems like the TV media was interested in cybersecurity for awhile, but I don't hear about it anymore.
Conservative "think tanks" are super good at reframing concepts in a favorable way, referring to estate taxes as "death taxes" for example. Maybe we need a crypto "think tank" that can help, but it doesn't seem like there are many politicians who support cryptography.
Play to different fears, e.g.: "Anything that makes it easier for the government to track criminals also makes it easier for stalkers to track their victims."
I've thought about this quite a bit, and think the tech community is going about this wrong. The public doesn't like being told it can't be done, but I can't explain why, because it's too complicated.
Even though we know it's impossible, we should disregard that and lay out common sense tenants that such system would require, even if it can't be feasibly built. We could then base our arguments on those tenants, and those are public fights I think could be won, because its things non technical people could understand.
For instance, one tenant could be any key escrow system must be open source. We can't base it off keeping the code secret, as then if the code is ever stolen or leaked, the whole system is compromised.
If you can win those arguments, and it just happens such a system can't be built due to the laws of mathematics, you then fall back to arguing which tenants you should break, and ideally breaking any of the tenants would be unpalatable.
I think you are grossly overestimating the general public's ability to consume and understand a technically complicated argument no matter how well-reasoned.
During a discussion about privacy, the next time someone says "they have nothing to hide" then ask them for their social security number and mother's maiden name.
This quip misses the underlying reasoning though. I have nothing to hide from entities I trust, like my bank or the government. Heck, my bank and the government know my SSN. You, in the other hand, I don't trust you.
What's to stop someone you don't trust getting into government or banking after those institutions gain extensive access to your information? (Maybe the safeguards are stronger where you live than where I live, but are they strong enough and will they remain in place?)
Those institutions already have extensive access to my information. I trust my bank with my life savings; I trust the government with my retirement and old age medical care. I can certainly trust them with my text messages. Sure there are vulnerabilities, but that's what insurance is for.
My last comment was sloppy and I agree with much of your reply. However, the governments that serve their populations well do so in virtue of their structures and office-holders, both of which change over time.
My concern is that any increase in already substantial state powers poses a twofold threat. Firstly, it makes future increases more difficult to oppose. Secondly, it risks falling into the hands of irresponsible future office holders.
I suggest that you wouldn't be able to trust your government with your text messages if you fell into one of the following three categories: freedom fighter, wrongly suspected of crime due to unchallengeable secret evidence and targeted for state-imposed restrictions without explanation, actual criminal (possibly under a homophobic, misogynistic or racist law).
I'm not sure about the banks, but maybe some of the above applies to them, too.
The New Zealand parliament has identified five "institutionalised checks on executive power". (They are a codified constitution, an elected head of state, a bicameral legislature, devolved powers and proportional representation.[0]) Only two exist in my country (the United Kingdom), neither of which is available to me, because one of our legislative chambers is unelected and (like the majority of the population) I don't live under the jurisdiction of a devolved legislature.
I don't understand your last sentence. By "insurance", do you primarily mean checks and balances? If so, which ones matter to you?
Yes, exactly. Rather, you should ask someone if they close the curtains before they have sex with their spouse. Or, more's to the point, ask them whether they should be required, when having any house built, to include a government issue sex spycam installed in their ceiling. Because if bedrooms are safe and the government can't spy on them at will, terrorists will plot in bedrooms.
I think that might be too subtle. I'd go with "It's like mailing a check in a transparent envelope with the amount and pay-to fields erasable and written in with a dry erase marker."
Even more so--"It's like forcing everything sent by mail to be sent in a transparent envelope and then publishing in the news every route that mailmen take and the easiest points where to intercept them."
Laws dictating how to/not to encrypt things make news really quickly so it takes even takes out all the fun in security research.
More like: The government wants a master key that will unlock all the doors on your home, but they super promise to be real careful not to let anyone else use it.
But that's just it, and this is why techies often sound unreasonable: there absolutely is a well-defined system whereby the government can get into your home. And they do promise to be careful with that power. And they also promise to help protect you against other people's using that power. To most people, this whole debate sounds like we're saying everyone should have easy access to impossible to vaults of arbitrary size, which law enforcement can't access under any circumstances. In the physical world, hardly anyone (including me) would be in favor of such a thing. I's not hard to imagine abuses of these vaults that we wouldn't want to tolerate. If it's different in the digital world (and I tend to believe it is), the burden is on us to explain why.
Imagine the police response time to a black neighborhood where gun violence has just been reported. Now imagine the police don't have guns, cars, or any knowledge of the law because there is no black and white law. Now imagine you live in that black neighborhood. That black neighborhood is called the internet. And the government is trying to outlaw locking your door.
Another: it's like requiring safe manufacturers to have a master combination to unlock any safe.
(or, closer to what the article states: it's like requiring safe manufacturers to open any safe the government gives them, or at least require the manufacturer to provide technical assistance in breaking into their own safe)
How can we educate the wider public that breaking crypto makes everything less secure. Most of the arguments I've seen in the wider context seem to split down tech/non-tech lines with this being the key point that's not understood.